Posts tagged ‘ release’

The Spree team was recently alerted to several potential security vulnerabilities. If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at security@spreecommerce.com and we will investigate and fix the issue as quickly as possible.

Spree Roles Mass-assignment Vulnerability

The first vulnerability reported pertains to a mass-assignment vulnerability with spree roles. By passing the right parameters while updating a user, that user is able to assign any existing role to themselves. This is fixed in the latest release. You are strongly encouraged to upgrade if you are using Spree 1.1.x, 1.2.x or 1.3.×.

Unsafe Use of Constantize in Admin

The third vulnerability concerns unsafe reflections in parts of the Spree admin and affects any version of Spree >= 1.0.0. It is possible to instantiate an object of the user’s choice by passing the correct parameters to certain methods. As this vulnerability only pertains to the admin interface, we have not released a new version of Spree with this fix. However, this fix is available on Spree’s master branch as commit 70092eb.

Versions Affected

Spree 1.0.x – 1.3.x, Edge

The Fix

The problem can be addressed by updating to edge Spree. There is no urgent need to upgrade if you are running an affected version as long as your admin users can be trusted to not attempt a complicated technical exploit of this vulnerability.

We have just released Spree 0.60.2 which contains an important security fix. A vulnerability exists in the ProductScope class that could allow for unauthenticated remote command execution. To put it simply, you should either upgrade immediately or add your own custom fix based on this commit.

Special thanks to joernchen of Phenoelit for discovering and reporting the problem through the appropriate channels(which is a private email to security@railsdog.com.) Roman Smirnov (aka romul) provided the necessary fix.

The edge code has also been updated to include this fix. There are also a few other minor issues addressed in this release. See the Github compare view for the full details.

We are currently working on an improved solution for handling the reporting of security issues. We will be announcing a new initiative on this front in the near future.

The Spree team was recently alerted to a potential security vulnerability related to so-called JSON Hijacking. The potential exploit involves using social engineering to induce an administrator who is logged into Spree to visit a web page that contains code designed to exploit the vulnerability. If an authenticated admin loads a page containing this code in their browser it could expose sensitive user and order information via a JSON security exploit.

Most versions of Spree are affected including all versions of 0.11.x and the latest edge code for the upcoming 0.30.×. If you are running on an edge version of Spree, please update to the latest source code which includes these two important fixes.

Anyone using a previously released version of Spree is strongly encouraged to upgrade to the brand new 0.11.2 release. The new 0.11.2 release contains two crucial commits needed to address this vulnerability. The complete set of changes for the 0.11.2 release can be viewed in Github.

This is not a particularly new vulnerability nor is it unique to Spree. There is a very detailed blog post outlining the specifics of JSON Hijacking if you wish to read up on it further.

Special thanks to Conviso Security for reporting the problem to us as well as the team at Locaweb for helping us to test the fix. This was another great example of the OS community working together to report and fix security issues in a timely manner. Remember, if you spot a security issue, please do not report it in a public forum or issue tracker. Send an email to security@railsdog.com so we can address the issue before publicizing the vulnerability.